How to Secure Things & Influence People
10 Critical Habits of Effective Security Managers
Introduction
• Why are we here?
• What are our goals?
Chris Clymer
• Director of Security Services for MRK
• CISO for companies ranging from SMBs to multi-billion dollar corporations
• Former board member for NEOISF & co-host of the Security Justice podcast
• Aspiring Ironman, amateur saberist
I collaborate with my peers to identify and effectively manage risks which my clients are confronted with
Jack Nichelson
• Director of Infrastructure & Security for Chart Industries
• Executive MBA from Baldwin-Wallace University
• Recognized as one of the “People Who Made a Difference in Security” by the SANS Institute and received the CSO50 award for connecting security initiatives to business value
• Adviser for Baldwin Wallace’s state-winning Collegiate Cyber Defense Competition (CCDC) team
I defend my company’s competitive advantage by helping solve business problems through technology to work faster and safer.
“Solving Problems is my Passion”
Acknowledgements
• Dennis Sommer, COO SecureState
• Steve Hendricks, CMO RedIron
• Steve Holt, CIO Chart Industries
• David Hilmer, VP & CIO Graftech
• Matt LoPiccolo, VP & CIO Swagelok
• Chuck Norman, Sr. Mgr. Swagelok
• Carl Kessler, VP & CIO First Federal
• Matt Neely, Dir. Strategy SecureState
• Rich Wildermuth, Manager PWC
• Craig Shular, CEO GrafTech
• Tom Wojnarowski, CIO RITA
• Troy Thomas, SVP Wells Fargo
• Erick Asmussen, VP & CFO
• Jason Middaugh, Mgr. Cliffs
Special thanks to all of the mentors who have helped us through these lessons
The Ten Habits
Listening
Positivity
Know Your Stakeholders
Service
Just Say Maybe
Don’t be the Smartest Guy in the Room
Keep it Simple
Execution
Walk the Talk
Self-Reflection
Habit I: Listening
“Listen, Learn and Then Lead”
• Leading by Listening – Desire to help others
• High Emotional Intelligence (EQ) is key, you need to care about everyone succeeding at personal & career goals
• The day people stop bringing you problems is the day you stop leading
• Act decisively, be firm yet sensitive and empathetic
People want to be successful, so take the time to listen, respect, be humble and then help them reach their goals.
Your IQ got you in the door, your EQ will get you to the boardroom
Putting it into action: “Good Leaders Ask Great Questions”
Effective managers spend a good part of their workday listening to other people and asking good questions. Effective listening includes a four-step process to ensure understanding:
• Listen to the total message
• Prove your understanding by using nonverbal signals
• Use open-ended questions & probes
• Paraphrase what you hear and show understanding
• Don’t just say “hi”, have a more personal conversation
Habit II: Positivity
• Security is often fixated on finding the negatives: missing patches, misconfigured systems. It becomes very easy to be Mr. Negativity
• Security is often in a position of asking others for help, not dictating to them
• Who would you rather help…someone encouraging, or discouraging?
• Perpetual optimism is a force multiplier…if you provide positive energy, those around you will be willing to work much harder towards your goals
To motivate those around you to take action, positivity will always trump negativity
“Perpetual Optimism is a Force Multiplier” – Colin Powell
Putting it into action
Using positivity to achieve your security goals takes several steps:
• Aim to make “heroes” not “zeroes”
• Actively look for ways to encourage and help your peers
• Actively avoid “beating them up” with negativity
• People want to be successful, help them accomplish their personal goals
• Have conversations to learn what their personal goals are
• Find projects that will help them achieve these
• If you have knowledge or connections that could help, share them
Habit III: Know Your Stakeholders
• Security is about a lot more than just you
• You are taking actions to protect assets in the stewardship of others
• You are making choices which will impact the ways those around you conduct their business
• No one cares what you know until you show them how much you care
To make stuff that matters, you have to know what matters, so work on solving the right problems.
Putting it into action
• Identify stakeholders in your security program
• This is anyone affected by what you are doing
• Could be execs, IT, sales, marketing, manufacturing, customers…anyone
• Learn what their drivers are, both personal & professional
• “Know their pain”
• Plan to have “The meeting before the meeting”
• Meet with stakeholders individually before bringing them together for a decision.
• You’ll know the decision before the real meeting even happens
Effective managers take the time to identify stakeholders and know their pain points.
Habit IV: Service
• Security is a support role…your job is to help others safely do the things that make your organization productive
• You cannot do this job without help
• Your employees are not subjects for you to dictate rules to…they are your customers
• If you treat them well, they will be your “army of human sensors”, bringing you all kinds of useful intel, and helping to enforce policies you’ve developed to protect them
We often focus on the problem and forget about the customer. They will forget the problem you solved before they forget how you made them feel.
Putting it into action
To take care of your “customers”, keep the following steps in mind:
• Know who your customers are
• Aim to create “stark raving fans”
• Make sure they feel comfortable
• Make sure they feel “heard”
• Create a positive feedback loop
Habit V: Just Say Maybe
• Security has often been the Department of “No”
• Taking a hard stance as a “cyber policeman” can seem to work…until you become perceived as an obstacle
• If you are an obstacle, process will begin to be routed around you
Effective leadership requires compromise and empathy for the other person.
Putting it into action
• Identify the core requirements (Yours & Theirs)
• Facilitate a Risk vs. Reward conversation to balance security
• Resist the urge to be a “cyber policeman.”
• Empathize with others’ problems…but still be comfortable taking a stand
• Collaborate on the solution where everyone can win
Don’t take a hard line on a topic before you have determined everyone’s “musts” and “wants”. This approach will ensure clear communication, fair compromise and a better solution.
It’s OK to be uncomfortable with the results
Habit VI: Don’t Be the Smartest Guy in the Room
• Many of us performed other IT roles before moving into security
• This is often seen as a move “up”, which makes it easy to feel that you know your peers’ jobs as well as your own
• We also often feel that no one is qualified to do the challenging job of security other than those of us currently charged with it
• It is not your job to out-do or “call out” your peers
• No one cares who came up with the idea, just that issues are solved
To achieve results we need to build partnerships, not demonstrate knowledge
Putting it into action
To build strong partnerships with their peers, an effective manager will strive to do the following in all of their social interactions:
• When in a meeting, listen more than you talk
• Think very hard before speaking: are you contributing to the discussion, or are you demonstrating your knowledge?
• Make your goal finding the best solution for an identified problem…not convincing everyone to accept your solution unchanged
• Do not be afraid to let others fail…failure drives personal growth
Habit VII: Keep it Simple
• Security is a complex field, characterized by the convergence points between many others
• It is your job to deal with this complexity, and distill it into simple actions for your stakeholders
• Their main job is something else…when you’re asking for their help, you want it to be as simple and frictionless as possible
• Be on a mission to be results oriented
A quick win with a simple solution is better than holding your ground for the elegant solution. Don’t let perfect become the enemy of good.
Putting it into action
• Distill complex security problems into simple elevator pitches you can easily convey to multiple layers of your organization
• Hone and practice your message, you will be repeating it often
• Don’t become so invested in an elegant solution that you lose sight of the original problem
• Find quick wins that you can chain together into larger ones
“Fight the battles you can win” – Sun Tzu
Habit VIII: Execution
• This may seem obvious, but you need to execute on your plans
• Because security is so dependent on others, it’s easy to develop plans which are never executed…and place the blame on others
• We also often spend months, or years of long effort selling our ideas. Once others finally become bought-in, it can feel like the hard work is done
• If you have a history of struggling with execution, others will not want to support new projects…no matter how significant the vulnerability you are addressing
Have a plan, and execute, execute, execute
Putting it into action
Security managers who move from simply identifying problems to achieving concrete results will typically follow these similar steps:
• Once you have buy-in to security projects, have laser-focus on execution…you may not get a second chance to try it
• Security does not make your company money. If a project stumbles or impacts the bottom line negatively, it’s easy to pull it out
• Partner with others, but take responsibility for execution
• Have a plan, follow it, measure your progress
• Use a project manager if you can
• You don’t know what you can get away with until you try it
Habit IX: Walk the Talk
• In security it’s easy to feel we’re an exception to some of the rules
• In some cases, we may actually need to be
• As the “policeman” you must hold yourself to a higher standard, because there’s often no one else to hold you accountable
• Follow the policies you set, or expect others to follow your lead in ignoring them
You must lead by example, do not diminish your authority by disrespecting your rules
Putting it into action
• Maintain as few exceptions as possible, and be sure you have a strong justification for each
• Cracked down on admin rights? Give thought to where you really need your own
• Pushing standard server builds? Don’t maintain a security system with a “special” build because you don’t trust your server teams, or feel your requirements are unique
• Follow any policies you’ve set to a tee, and do so visibly
Habit X: Self-Reflection
• In security we are often perfectionists…accepting failures can be a very difficult thing
• Reality is, we will have them
• Without awareness of your own strengths and weaknesses you will fail to meet your own potential, and continue to be stymied by the same obstacles
The most important person for you to manage effectively is yourself. To grow personally and professionally you need to know yourself before you can help others.
“Know the enemy and know yourself and you will never be defeated” – Sun Tzu
Putting it into action
• Put a lot of thought into identifying your own areas of weakness
• Have a plan for improving these
• These will be iterative improvements over time, not one-time things
• More about the journey than the destination…you will stumble along the way
• Work with a mentor
• You need a second opinion on what your areas of weakness are
• You also want someone to keep you honest in how you’re progressing
Self-reflection is a challenge. Effective managers will follow these steps, repeat them often, and not be discouraged when they stumble along the way
The Ten Habits
Listening
Positivity
Know Your Stakeholders
Service
Just Say Maybe
Don’t be the Smartest Guy in the Room
Keep it Simple
Execution
Walk the Talk
Self-Reflection
References
• You Don’t Need a Title to Be a Leader – Mark Sanborn
• Five Temptations of a CEO – Patrick M. Lencioni
• The Art of War for Managers – Gerald Michaelson/Sun Tzu
• The Sandler Sales Method – David H Sandler
• How to Win Friends and Influence People – Dale Carnegie
Stephen Covey
• The Fifth Discipline – Pete Senge
• Leading Change – John Kotter
• The Servant – James Hunter
• The New Leaders 100 Day Action Plan – George Bradt
• Good To Great – Jim Collins
• Crucial Conversations – Kerry Patterson
Contact Info
Chris
Chris@ChrisClymer.com
Twitter: @ChrisClymer
Jack
Jack@Nichelson.net
Twitter: @Jack0lope
Q & A
Networking
• No time like the present to put your soft skills to work
• Say hi to your neighbor…what can they teach you about this topic?

 
Bob West - Educating the Board of Directors
Bob West - Educating the Board of DirectorsBob West - Educating the Board of Directors
Bob West - Educating the Board of Directors
 
Mark Villinski - Top 10 Tips for Educating Employees about Cybersecurity
Mark Villinski - Top 10 Tips for Educating Employees about CybersecurityMark Villinski - Top 10 Tips for Educating Employees about Cybersecurity
Mark Villinski - Top 10 Tips for Educating Employees about Cybersecurity
 
Valerie Thomas - All Your Door Belong to Me - Attacking Physical Access Systems
Valerie Thomas - All Your Door Belong to Me - Attacking Physical Access SystemsValerie Thomas - All Your Door Belong to Me - Attacking Physical Access Systems
Valerie Thomas - All Your Door Belong to Me - Attacking Physical Access Systems
 
Dino Tsibouris & Mehmet Munur - Legal Perspective on Data Security for 2016
Dino Tsibouris & Mehmet Munur - Legal Perspective on Data Security for 2016Dino Tsibouris & Mehmet Munur - Legal Perspective on Data Security for 2016
Dino Tsibouris & Mehmet Munur - Legal Perspective on Data Security for 2016
 
Jeffrey Sweet - Third Party Risk Governance - Why? and How?
Jeffrey Sweet - Third Party Risk Governance - Why? and How?Jeffrey Sweet - Third Party Risk Governance - Why? and How?
Jeffrey Sweet - Third Party Risk Governance - Why? and How?
 
Steven Keil - BYODAWSCYW (Bring Your Own Device And Whatever Security Control...
Steven Keil - BYODAWSCYW (Bring Your Own Device And Whatever Security Control...Steven Keil - BYODAWSCYW (Bring Your Own Device And Whatever Security Control...
Steven Keil - BYODAWSCYW (Bring Your Own Device And Whatever Security Control...
 
Gary Sheehan - Winning a Battle Doesn't Mean We Are Winning the War
Gary Sheehan - Winning a Battle Doesn't Mean We Are Winning the WarGary Sheehan - Winning a Battle Doesn't Mean We Are Winning the War
Gary Sheehan - Winning a Battle Doesn't Mean We Are Winning the War
 
Sean Whalen - How to Hack a Hospital
Sean Whalen - How to Hack a HospitalSean Whalen - How to Hack a Hospital
Sean Whalen - How to Hack a Hospital
 
Robert Hurlbut - Threat Modeling for Secure Software Design
Robert Hurlbut - Threat Modeling for Secure Software DesignRobert Hurlbut - Threat Modeling for Secure Software Design
Robert Hurlbut - Threat Modeling for Secure Software Design
 
Harry Regan - Disaster Recovery and Business Continuity - "It's never so bad ...
Harry Regan - Disaster Recovery and Business Continuity - "It's never so bad ...Harry Regan - Disaster Recovery and Business Continuity - "It's never so bad ...
Harry Regan - Disaster Recovery and Business Continuity - "It's never so bad ...
 
Rafeeq Rehman - Breaking the Phishing Attack Chain
Rafeeq Rehman - Breaking the Phishing Attack ChainRafeeq Rehman - Breaking the Phishing Attack Chain
Rafeeq Rehman - Breaking the Phishing Attack Chain
 
Oliver Schuermann - Integrated Software in Networking - the Mystery of SDN
Oliver Schuermann - Integrated Software in Networking - the Mystery of SDNOliver Schuermann - Integrated Software in Networking - the Mystery of SDN
Oliver Schuermann - Integrated Software in Networking - the Mystery of SDN
 
Jack Nichelson - Information Security Metrics - Practical Security Metrics
Jack Nichelson - Information Security Metrics - Practical Security MetricsJack Nichelson - Information Security Metrics - Practical Security Metrics
Jack Nichelson - Information Security Metrics - Practical Security Metrics
 
Michael Woolard - Gamify Awareness Training: Failure to engage is failure to ...
Michael Woolard - Gamify Awareness Training: Failure to engage is failure to ...Michael Woolard - Gamify Awareness Training: Failure to engage is failure to ...
Michael Woolard - Gamify Awareness Training: Failure to engage is failure to ...
 
Ruben Melendez - Economically Justifying IT Security Initiatives
Ruben Melendez - Economically Justifying IT Security InitiativesRuben Melendez - Economically Justifying IT Security Initiatives
Ruben Melendez - Economically Justifying IT Security Initiatives
 
Ed McCabe - Putting the Intelligence back in Threat Intelligence
Ed McCabe - Putting the Intelligence back in Threat IntelligenceEd McCabe - Putting the Intelligence back in Threat Intelligence
Ed McCabe - Putting the Intelligence back in Threat Intelligence
 
Ofer Maor - Security Automation in the SDLC - Real World Cases
Ofer Maor - Security Automation in the SDLC - Real World CasesOfer Maor - Security Automation in the SDLC - Real World Cases
Ofer Maor - Security Automation in the SDLC - Real World Cases
 
Jim Libersky: Cyber Security - Super Bowl 50
Jim Libersky: Cyber Security - Super Bowl 50Jim Libersky: Cyber Security - Super Bowl 50
Jim Libersky: Cyber Security - Super Bowl 50
 

Recently uploaded

Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
SOFTTECHHUB
 
20240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 202420240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 2024
Matthew Sinclair
 
Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1
DianaGray10
 
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the  Possible with Graph - Q2 2024GraphSummit Singapore | The Art of the  Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
Neo4j
 
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Speck&Tech
 
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
Edge AI and Vision Alliance
 
UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5
DianaGray10
 
A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...
sonjaschweigert1
 
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
Neo4j
 
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with SlackLet's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
shyamraj55
 
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
James Anderson
 
20240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 202420240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 2024
Matthew Sinclair
 
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
SOFTTECHHUB
 
Full-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalizationFull-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalization
Zilliz
 
Video Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the FutureVideo Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the Future
Alpen-Adria-Universität
 
RESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for studentsRESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for students
KAMESHS29
 
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfObservability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Paige Cruz
 
Large Language Model (LLM) and it’s Geospatial Applications
Large Language Model (LLM) and it’s Geospatial ApplicationsLarge Language Model (LLM) and it’s Geospatial Applications
Large Language Model (LLM) and it’s Geospatial Applications
Rohit Gautam
 
Introducing Milvus Lite: Easy-to-Install, Easy-to-Use vector database for you...
Introducing Milvus Lite: Easy-to-Install, Easy-to-Use vector database for you...Introducing Milvus Lite: Easy-to-Install, Easy-to-Use vector database for you...
Introducing Milvus Lite: Easy-to-Install, Easy-to-Use vector database for you...
Zilliz
 
Data structures and Algorithms in Python.pdf
Data structures and Algorithms in Python.pdfData structures and Algorithms in Python.pdf
Data structures and Algorithms in Python.pdf
TIPNGVN2
 

Recently uploaded (20)

Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
 
20240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 202420240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 2024
 
Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1
 
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the  Possible with Graph - Q2 2024GraphSummit Singapore | The Art of the  Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
 
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
 
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
 
UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5
 
A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...
 
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
 
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with SlackLet's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
 
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
 
20240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 202420240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 2024
 
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
 
Full-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalizationFull-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalization
 
Video Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the FutureVideo Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the Future
 
RESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for studentsRESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for students
 
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfObservability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
 
Large Language Model (LLM) and it’s Geospatial Applications
Large Language Model (LLM) and it’s Geospatial ApplicationsLarge Language Model (LLM) and it’s Geospatial Applications
Large Language Model (LLM) and it’s Geospatial Applications
 
Introducing Milvus Lite: Easy-to-Install, Easy-to-Use vector database for you...
Introducing Milvus Lite: Easy-to-Install, Easy-to-Use vector database for you...Introducing Milvus Lite: Easy-to-Install, Easy-to-Use vector database for you...
Introducing Milvus Lite: Easy-to-Install, Easy-to-Use vector database for you...
 
Data structures and Algorithms in Python.pdf
Data structures and Algorithms in Python.pdfData structures and Algorithms in Python.pdf
Data structures and Algorithms in Python.pdf
 

Chris Clymer & Jack Nichelson - How to Secure Things & Influence People: 10 Critical Habits of Effective Security Managers

  • 1. How to Secure Things & Influence People: 10 Critical Habits of Effective Security Managers
  • 2. Introduction
      • Why are we here?
      • What are our goals?
  • 3. Chris Clymer
      • Director of Security Services for MRK
      • CISO for companies ranging from SMBs to multi-billion dollar corporations
      • Former board member for NEOISF & co-host of the Security Justice podcast
      • Aspiring Ironman, amateur saberist
    I collaborate with my peers to identify and effectively manage risks which my clients are confronted with
  • 4. Jack Nichelson
      • Director of Infrastructure & Security for Chart Industries.
      • Executive MBA from Baldwin-Wallace University
      • Recognized as one of the “People Who Made a Difference in Security” by the SANS Institute and received the CSO50 award for connecting security initiatives to business value.
      • Adviser for Baldwin Wallace’s state-winning Collegiate Cyber Defense Competition (CCDC) team.
    I defend my company’s competitive advantage by helping solve business problems through technology to work faster and safer.
    “Solving Problems is my Passion”
  • 5. Acknowledgements
      • Dennis Sommer, COO SecureState
      • Steve Hendricks, CMO RedIron
      • Steve Holt, CIO Chart Industries
      • David Hilmer, VP & CIO GrafTech
      • Matt LoPiccolo, VP & CIO Swagelok
      • Chuck Norman, Sr. Mgr. Swagelok
      • Carl Kessler, VP & CIO First Federal
      • Matt Neely, Dir. Strategy SecureState
      • Rich Wildermuth, Manager PWC
      • Craig Shular, CEO GrafTech
      • Tom Wojnarowski, CIO RITA
      • Troy Thomas, SVP Wells Fargo
      • Erick Asmussen, VP & CFO
      • Jason Middaugh, Mgr. Cliffs
    Special thanks to all of the mentors who have helped us through these lessons
  • 6. The Ten Habits
      • Listening
      • Positivity
      • Know Your Stakeholders
      • Service
      • Just Say Maybe
      • Don’t be the Smartest Guy in the Room
      • Keep it Simple
      • Execution
      • Walk the Talk
      • Self-Reflection
  • 8. Habit I: Listening
    “Listen, Learn and Then Lead”
      • Leading by Listening – Desire to help others
      • High Emotional Intelligence (EQ) is key, you need to care about everyone succeeding at personal & career goals
      • The day people stop bringing you problems is the day you stop leading
      • Act decisively, be firm yet sensitive and empathetic
    People want to be successful, so take the time to listen, respect, be humble and then help them reach their goals.
    Your IQ got you in the door, your EQ will get you to the boardroom
  • 9. Putting it into action
    “Good Leaders Ask Great Questions”
    Effective managers spend a good part of their workday listening to other people and asking good questions. Effective listening includes a four-step process to ensure understanding:
      • Listen to the total message
      • Prove your understanding by using nonverbal signals
      • Use open-ended questions & probes
      • Paraphrase what you hear and show understanding
      • Don’t just say “hi”, have a more personal conversation
  • 11. Habit II: Positivity
      • Security is often fixated on finding the negatives: missing patches, misconfigured systems. It becomes very easy to be Mr. Negativity
      • Security is often in a position of asking others for help, not dictating to them
      • Who would you rather help…someone encouraging, or discouraging?
      • Perpetual optimism is a force multiplier…if you provide positive energy, those around you will be willing to work much harder towards your goals
    To motivate those around you to take action, positivity will always trump negativity
    “Perpetual Optimism is a Force Multiplier” – Colin Powell
  • 12. Putting it into action
    Using positivity to achieve your security goals takes several steps:
      • Aim to make “heroes” not “zeroes”
      • Actively look for ways to encourage and help your peers
      • Actively avoid “beating them up” with negativity
      • People want to be successful, help them accomplish their personal goals
      • Have conversations to learn what their personal goals are
      • Find projects that will help them achieve these
      • If you have knowledge or connections that could help, share them
  • 13. Habit III: Know Your Stakeholders
  • 14. Habit III: Know Your Stakeholders
      • Security is about a lot more than just you
      • You are taking actions to protect assets in the stewardship of others
      • You are making choices which will impact the ways those around you conduct their business
      • No one cares what you know until you show them how much you care
    To make stuff that matters, you have to know what matters so work on solving the right problems.
  • 15. Putting it into action
      • Identify stakeholders in your security program
      • This is anyone affected by what you are doing
      • Could be execs, IT, sales, marketing, manufacturing, customers…anyone
      • Learn what their drivers are, both personal & professional
      • “Know their pain”
      • Plan to have “The meeting before the meeting”
      • Meet with stakeholders individually before bringing them together for a decision.
      • You’ll know the decision before the real meeting even happens
    Effective managers take the time to identify stakeholders and know their pain points.
  • 17. Habit IV: Service
      • Security is a support role…your job is to help others safely do the things that make your organization productive
      • You cannot do this job without help
      • Your employees are not subjects for you to dictate rules to…they are your customers
      • If you treat them well, they will be your “army of human sensors”, bringing you all kinds of useful intel, and helping to enforce policies you’ve developed to protect them
    We often focus on the problem and forget about the customer. They will forget the problem you solved before they forget how you made them feel.
  • 18. Putting it into action
    To take care of your “customers”, keep the following steps in mind:
      • Know who your customers are
      • Aim to create “stark raving fans”
      • Make sure they feel comfortable
      • Make sure they feel “heard”
      • Create a positive feedback loop
  • 19. Habit V: Just Say Maybe
  • 20. Habit V: Just Say Maybe
      • Security has often been the Department of “No”
      • Taking a hard stance as a “cyber policeman” can seem to work…until you become perceived as an obstacle
      • If you are an obstacle, process will begin to be routed around you
    Effective leadership requires compromise and empathy for the other person.
  • 21. Putting it into action
      • Identify the core requirements (Yours & Theirs)
      • Facilitate a Risk vs. Reward conversation to balance security
      • Resist the urge to be a “cyber policeman.”
      • Empathize with others’ problems…but still be comfortable taking a stand
      • Collaborate on the solution where everyone can win
    Don’t take a hard line on a topic before you have determined everyone’s “musts” and “wants”. This approach will ensure clear communication, fair compromise and a better solution.
    It’s OK to be uncomfortable with the results
  • 22. Habit VI: Don’t Be the Smartest Guy in the Room
  • 23. Habit VI: Don’t Be the Smartest Guy in the Room
      • Many of us performed other IT roles before moving into security
      • This is often seen as a move “up”, which makes it easy to feel that you know your peers’ jobs as well as your own
      • We also often feel that no one is qualified to do the challenging job of security other than those of us currently charged with it
      • It is not your job to out-do or “call out” your peers
      • No one cares who came up with the idea, just that issues are solved
    To achieve results we need to build partnerships, not demonstrate knowledge
  • 24. Putting it into action
    To build strong partnerships with their peers, an effective manager will strive to do the following in all of their social interactions:
      • When in a meeting, listen more than you talk
      • Think very hard before speaking: are you contributing to the discussion, or are you demonstrating your knowledge?
      • Make your goal finding the best solution for an identified problem…not convincing everyone to accept your solution unchanged
      • Do not be afraid to let others fail…failure drives personal growth
  • 25. Habit VII: Keep it Simple
  • 26. Habit VII: Keep it Simple
      • Security is a complex field, characterized by the convergence points between many others
      • It is your job to deal with this complexity, and distill it into simple actions for your stakeholders
      • Their main job is something else…when you’re asking for their help, you want it to be as simple and frictionless as possible
      • Be on a mission to be results oriented
    A quick win with a simple solution is better than holding your ground for the elegant solution. Don’t let perfect become the enemy of good.
  • 27. Putting it into action
      • Distill complex security problems into simple elevator pitches you can easily convey to multiple layers of your organization
      • Hone and practice your message, you will be repeating it often
      • Don’t become so invested in an elegant solution that you lose sight of the original problem
      • Find quick wins that you can chain together into larger ones
    “Fight the battles you can win” – Sun Tzu
  • 29. Habit VIII: Execution
      • This may seem obvious, but you need to execute on your plans
      • Because security is so dependent on others, it’s easy to develop plans which are never executed…and place the blame on others
      • We also often spend months, or years of long effort selling our ideas. Once others finally become bought-in, it can feel like the hard work is done
      • If you have a history of struggling with execution, others will not want to support new projects…no matter how significant the vulnerability you are addressing
    Have a plan, and execute, execute, execute
  • 30. Putting it into action
    Security managers who move from simply identifying problems to achieving concrete results will typically follow these similar steps:
      • Once you have buy-in to security projects, have laser-focus on execution…you may not get a second chance to try it
      • Security does not make your company money. If a project stumbles or impacts the bottom line negatively, it’s easy to pull it out
      • Partner with others, but take responsibility for execution
      • Have a plan, follow it, measure your progress
      • Use a project manager if you can
      • You don’t know what you can get away with until you try it
  • 31. Habit IX: Walk the Talk
  • 32. Habit IX: Walk the Talk
      • In security it’s easy to feel we’re an exception to some of the rules
      • In some cases, we may actually need to be
      • As the “policeman” you must hold yourself to a higher standard, because there’s often no one else to hold you accountable
      • Follow the policies you set, or expect others to follow your lead in ignoring them
    You must lead by example, do not diminish your authority by disrespecting your rules
  • 33. Putting it into action
      • Maintain as few exceptions as possible, and be sure you have a strong justification for each
      • Cracked down on admin rights? Give thought to where you really need your own
      • Pushing standard server builds? Don’t maintain a security system with a “special” build because you don’t trust your server teams, or feel your requirements are unique
      • Follow any policies you’ve set to a tee, and do so visibly
  • 35. Habit X: Self-Reflection
      • In security we are often perfectionists…accepting failures can be a very difficult thing
      • Reality is, we will have them
      • Without awareness of your own strengths and weaknesses you will fail to meet your own potential, and continue to be stymied by the same obstacles
    The most important person for you to manage effectively is yourself. To grow personally and professionally you need to know yourself before you can help others.
    “Know the enemy and know yourself and you will never be defeated” – Sun Tzu
  • 36. Putting it into action
      • Put a lot of thought into identifying your own areas of weakness
      • Have a plan for improving these
      • These will be iterative improvements over time, not one-time things
      • More about the journey than the destination…you will stumble along the way
      • Work with a mentor
      • You need a second opinion on what your areas of weakness are
      • You also want someone to keep you honest in how you’re progressing
    Self-reflection is a challenge. Effective managers will follow these steps, repeat them often, and not be discouraged when they stumble along the way
  • 37. The Ten Habits
      • Listening
      • Positivity
      • Know Your Stakeholders
      • Service
      • Just Say Maybe
      • Don’t be the Smartest Guy in the Room
      • Keep it Simple
      • Execution
      • Walk the Talk
      • Self-Reflection
  • 38. References
      • You Don’t Need a Title to Be a Leader – Mark Sanborn
      • Five Temptations of a CEO – Patrick M. Lencioni
      • The Art of War for Managers – Gerald Michaelson/Sun Tzu
      • The Sandler Sales Method – David H Sandler
      • How to Win Friends and Influence People – Dale Carnegie Stephen Covey
      • The Fifth Discipline – Peter Senge
      • Leading Change – John Kotter
      • The Servant – James Hunter
      • The New Leader’s 100-Day Action Plan – George Bradt
      • Good To Great – Jim Collins
      • Crucial Conversations – Kerry Patterson
  • 40. Q & A
  • 41. Networking
      • No time like the present to put your soft skills to work
      • Say hi to your neighbor…what can they teach you about this topic?

Editor's Notes

  1. Have you ever felt that the security problems you're faced with would be so simple to solve if only your colleagues had your perspective on them? Are you frustrated that security does not have a more prominent seat at the table? Oftentimes, identifying security problems and developing the appropriate controls is the easiest part of the security job. Getting our peers and superiors to buy in to those solutions and understand the risk decisions they're making is an under-appreciated but arguably much more important part of our jobs in security. Chris and Jack will share techniques that help to turn your employees into an army of human security sensors, to get security done regardless of where it sits on the org chart, and to earn major security victories even with a meager budget and a small team. Along the way you’ll learn about the “10 Critical Habits” which we have observed effective security leaders using to achieve their goals.
  2. Chris kicks off.
     Why are we here – as we’ve moved through our careers, we’ve found that the technical problems are less and less of the challenge, and that soft skills seem to matter much more towards overall success in security. To better understand this ourselves, and to help our peers, we’ve spent the last several months having discussions with leaders across multiple
     What are our goals – to deliver 10 “habits” that we identified during a series of conversations with leaders in and out of security. This group felt that these habits all contributed greatly towards accomplishing goals
  3. Jack takes from here Discuss interviews over last several months, presentation is aggregated from conversations with this entire group
  4. These are the key lessons we have learned
  5. Jack: If there is consensus among these leaders, it is that it all comes down to listening, learning—and then leading. Story: the listener becomes the “go-to” guy. Cheerful, approachable, actively asking how you can help and taking the time to listen to everything. Jack is always invested in the success of those around him. Story: Jack’s old CIO on the phone so Jack can solve the problem. Care about people
  6. Jack: meeting a problem head on; in a crisis your words have great impact. Small acts of positivity build. You become what you think about; people around you become what you are
  7. Jack: developing project charter & problem statement helped better understand who stakeholders were, and what matters to them. Shift from compliance to IP (actual business assets)
  8. Jack: HR story. Sysadmin fixes her problem, but she didn’t feel heard, and did not understand the problem or solution
  9. Jack: Dropbox
  10. Jack
  11. Hand off to Chris
  12. Chris – keeping mouth shut shows win…segment plan story. “Pull” not a “push”. Not “my” projects, “our” projects
  13. Chris: vulnerability management. SharePoint site & Nessus versus enterprise VMP
  14. Chris: scans, laid out a plan and followed it…prepped people to expect ugly findings, scans on Sunday mornings. Change orders in Follow-up with employee on hiccups from scans. No one took my gun away
  15. Chris: take away your own local admin before others. “Soft power”. How many of you have local admin yourself? How many of you have passphrases?
  16. This presentation germinated in a series of meetings with our mentors. Talking with external folks who’ve “been there before” gave tremendous perspective. Helped to see where we were falling down, and where despite resistance from our internal peers we were actually moving in the right direction. With security often being off on an island, this perspective can be hugely important. Chris: Tri story. Needed to work on patience, picked an endurance sport, iterative improvement over time